Removing NOCRYPT

Marius Strobl marius at
Tue Apr 27 10:54:44 PDT 2004

On Tue, Apr 27, 2004 at 10:08:30AM +0100, Colin Percival wrote:
>   I would like to remove the NOCRYPT option from FreeBSD before
> 5.3-RELEASE.  There are a number of good reasons for doing this:
> 1. NOCRYPT is almost completely untested, and in the past it has
> often broken (for example, there was a recent release where it
> was impossible to pkg_add without the cryptographic libraries.)
> 2. NOCRYPT has outlived its original purpose.  The separation of
> cryptographic code from non-cryptographic code is a result of
> "munitions" export restrictions in the US which were changed a
> long time ago.
> 3. NOCRYPT causes major headaches.  With the Kerberos options
> removed (or rather, Kerberos 4 removed and Kerberos 5 made
> manditory) this is the only remaining option which can result
> in certain files from the FreeBSD world existing in multiple
> entirely different forms.  Most obviously, this complicates

For telnet(1) and telnetd(8) you currently can have three
different versions:
kerberized telnet - default build
"secure" telnet - built when only NO_KERBEROS is defined
"unsecure" telnet - built when NOCRYPT or NO_OPENSSL is defined

NO_OPENSSL is a subset of NOCRYPT, the difference over NO_OPENSSL
is that libcrypt doesn't include DES and Blowfish and some crypto
LKMs don't get built when NOCRYPT is defined.
So one can argue if either NO_OPENSSL or NOCRYPT can be removed
(I'd vote for NOCRYPT to be removed) but that most likely won't
solve your problem that certain files can exist in different

> release-building; it also adds significant complications to
> FreeBSD Update.
>   If anyone has a really good reason for keeping the NOCRYPT
> option, please let me know.  In particular, I'd like to hear
> from anyone who is actually running a NOCRYPT world.

FYI, I use world built with NO_OPENSSL on most machines so I
catch most of the world problems that would also affect NOCRYPT.

More information about the freebsd-current mailing list